Re: Review Request 51705: Password in the configurations.json file in the ambari-agent cache is not encrypted

Mon, 12 Sep 2016 13:21:07 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/51705/
-----------------------------------------------------------

(Updated Sept. 12, 2016, 8:20 p.m.)


Review request for Ambari, Di Li, Jonathan Hurley, and Nate Cole.


Bugs: AMBARI-18334
    https://issues.apache.org/jira/browse/AMBARI-18334


Repository: ambari


Description
-------

The configurations.json file loaded in the ambari-agent cache located at 
/var/lib/ambari-agent/cache/cluster_configuration contains password details in 
plaintext (Ex: ssl.client.keystore.password,ssl.client.truststore.password 
etc.). The values are loaded both in the memory cache and file cache, the file 
seems to be used only for debugging purposes, so it would be a better approach 
to mask the passwords in the file.

Approach:

The password_config_type is included in the heartbeat response for alert 
definition command and execution command, for which the values are dumped into 
the json file. The password_config_type contains the information on which 
properties in the configurations has the propertyType password. Based on the 
response, the json is parsed and the password values are masked before dumping 
it into the configurations.json file.


Diffs (updated)
-----

  ambari-agent/src/main/python/ambari_agent/ClusterConfiguration.py 72b87be 
  ambari-agent/src/test/python/ambari_agent/TestAlerts.py 2bddc43 
  ambari-agent/src/test/python/ambari_agent/TestClusterConfigurationCache.py 
a418f6d 
  
ambari-server/src/main/java/org/apache/ambari/server/actionmanager/ExecutionCommandWrapper.java
 0562c15 
  
ambari-server/src/main/java/org/apache/ambari/server/agent/AlertDefinitionCommand.java
 4d2e048 
  
ambari-server/src/main/java/org/apache/ambari/server/agent/ExecutionCommand.java
 29737ee 
  ambari-server/src/main/java/org/apache/ambari/server/state/ConfigHelper.java 
70c24f9 

Diff: https://reviews.apache.org/r/51705/diff/


Testing
-------

Updated the test cases.
Ran mvn test.

Manually tested by setting up a cluster, the password fields in the 
configurations.json is masked. During testing, everytime the ambari agent is 
restarted, it registers with the server and the memory cache and file cache are 
updated, the alerts in turn uses the value from the memory cache.


Thanks,

Anita Jebaraj

Reply via email to